How can I verify Remote Role Groups via TACACS+ auth

Hello. My F5 v11.4 and 11.3 devices have tacacs authentication to AD for admin access to gui and terminal. We do however create F5 local users for this to work. So use my MS AD user name and password...

application delivery

BIG-IP Access Policy Manager (APM)

LTM

management

security

Cory_50405
Apr 04, 2014
So here are the specifics of the configuration we are using:

Cisco ACS 5.3 as our TACACS server Under Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles, we defined multiple profiles depending on the level of authorization for the remote users. I'll detail our administrator role, but the other roles can be built accordingly.

Under the Custom Attributes tab of the shell profile for the administrator role, our attribute is 'F5-LTM-User-Info-1', with a value of 'adm'. You then apply this shell profile to the ACS group that you want to be able to have administrator access to the BIG-IP.

Our corresponding remote role config in the BIG-IP looks like this:

/Common/F5_Administrator { attribute F5-LTM-User-Info-1=adm console tmsh line-order 1 role administrator user-partition all }

All of the AD specific user and group information should stay between the TACACS server and AD.

Forum Discussion

How can I verify Remote Role Groups via TACACS+ auth

Recent Discussions

What is the meaning is 52% block in WAF

Rundeck ansible F5 errors

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

TACACS+ Remote Role Configuration for BIG-IP

TACACS+ External Monitor (Python)

Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Verified Design: SSL Orchestrator with McAfee Web Gateway-Part 1

Integrate F5 Distributed Cloud remote logging with ELK